Care & Feeding of Your WordPress Website

So, WordPress is installed, and your website is up. Your theme is customized just the way you want it, and all of your content has been uploaded. Now you can sit back and forget about it until the next time you want to change the content, right? Unfortunately, no.

Your WordPress Website is a Car, Not a Poster

Every week I hear from site owners who think of their website as something static, like a poster on the internet. But the internet is a complex and constantly changing environment. WordPress must constantly change with it.

Then WordPress themes and plugins have to change to stay compatible with the WordPress core. When authors discontinue updating themes or plugins, they may cease to work, or worse yet, continue to work, but become vulnerable to hacking. And last, but not least, all of these different moving parts have to interact with each other. The possible combinations of themes & plugins are endless, so there are bound to be a few incompatibilities, even when everything is up to date.

The truth is, your WordPress website is more like a car than a poster. It requires ongoing monitoring and maintenance. You may be able to neglect maintenance for a while, and see no visible repercussions, but just like with your car, this will catch up with you sooner or later. And just like your car, an ounce of prevention can save you a ton of downtime, money, stress, and regret.

The biggest potential risk of neglect is hacking. You may think your site’s risk of getting hacked is small, especially if it doesn’t get a lot of traffic. Don’t you believe it. Small, unattended sites are hacker candy. Hackers will find your website long before your target audience does. While you’re out looking for your audience, hackers are out looking for you.

Why Hackers Love WordPress

Why do hackers love WordPress? WordPress and its free themes and plugins are “open source.” That means that the programming code is public. Every time an update is released, hackers can compare the new and old code. Once they find a change that was made to correct a security vulnerability, they know how to hack any site that hasn’t updated to the new version yet. Don’t let your site become one of them.

Hackers know that many WordPress sites are built by people who know little or nothing about site security. If your friend or family member built a site for you, that is a labor of love, and I don’t mean to detract from it. But they may not have thought to read up on what the site needed after it was built.

A more common scenario is for build ‘n run developers to set up websites using premium (paid) themes and plugins, without informing you that you will need to purchase licenses to access updates. In fact, to avoid revealing this, they typically don’t mention maintenance at all. As site components become more and more out of date, they become vulnerable to hacking.

Is Being Hacked That Big of a Deal?

People who have been hacked never ask that question! Being hacked is a huge hassle. It can not only take down your website, it can get your email addresses blacklisted, and cause your site to be removed from search engine results. You can lose precious content. Recovering from a hack can take a lot of time and money.

An Ounce of Prevention

The good news is that simple prevention practices go a long way towards reducing your risk of getting hacked.

5 Keys to Prevent Hacking


Choose a Hard to Predict Username

Your username for logging in to your Dashboard should not be “admin.” It should not be your name, your website’s name, or anything else that appears on your website. It should not be the correct spelling of a word (use creative or phonetic misspellings). It should include numbers as well as letters. WordPress usernames are not case sensitive, and cannot include most special characters, so make the most of length and a unique letter/number combination.

Create a Strong Login Password

Strong passwords are a must. The days of using a dictionary word for a password are over. Use a password generator, and have your browser remember it so you don’t have to enter it every time. Your password should be at least 24 characters long, and should include upper and lower case letters, numbers, and special characters. Remember that hackers run automated programs that can attempt to log into your site far more rapidly than a human.
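For readers who would rather script this than trust a website, here is an added example (not part of the original article) of a generator that follows the rule above: 24 characters drawn from upper case, lower case, numbers, and special characters. The particular set of special characters is an assumption; adjust it to whatever your login form accepts.

```python
import secrets
import string

# Assumed set of special characters; not taken from the article.
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS)


def meets_policy(password, min_length=24):
    """True if the password is long enough and uses all four character classes."""
    return len(password) >= min_length and all(
        any(ch in cls for ch in password) for cls in CLASSES
    )


def generate_password(length=24):
    """Generate a password with the operating system's secure random source.

    Candidates are redrawn until one contains every character class. Forcing
    one character of each class into fixed positions would also work, but
    redrawing keeps every compliant password equally likely.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    print(generate_password())
```

`meets_policy` can also be used on its own to check a password you already have.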

Back Up Regularly

Protect your investment in your WordPress website – back it up! Do not rely on your webhost to do this for you. A good host has redundant backup systems, but mistakes can happen (and not all hosts are good). Realistically, a large webhost with thousands of servers containing tens of thousands of sites will never be as invested in your website as you are.
There are numerous backup options. The right one for you will depend on your particular site and needs. Save your backup files in at least two places (three is better) that are in different physical locations. Your backup schedule should take into account how often your site files change. Remember that you are changing your website files when you perform updates to themes, plugins, or WordPress, even if you haven’t added any new content. Back up at minimum once a month.

Update Promptly

Since hackers can identify vulnerabilities in old versions from updates, it’s crucial to install updates as soon as they are released (the same day is best). Updating is easy – just check a box and click a button.

WordPress itself is updated several times a year. Minor updates are automatic, but you may need to log in to your dashboard to install major updates. Themes and plugins are also updated periodically. A security plugin (see next section) can send you update alerts, or you can set up automatic updates.

There are advantages and disadvantages to automatic updates. If you aren’t likely to update promptly when notified, automatic updates may be the best choice for you. However, every now and then, an update can cause a problem. If you perform updates manually, you know right away when this happens, and which update caused it. With automatic updates, days, weeks, or even months may pass before you notice a problem, and by then, it can be harder to identify what caused it.

Use a Security Plugin

The first thing I install on a new WordPress website is a security plugin. There are excellent, free security plugins that protect your site in a myriad of ways. For example, they can scan your files daily to check whether they match the files in the WordPress repository, and email you if there’s a discrepancy. They can alert you to needed updates. They can notify you whenever someone logs in to your dashboard. They can lock out hackers who try to log in, and show you the usernames they tried.

If you are not very technical, you may occasionally need assistance from someone more experienced with WordPress to decide how to respond to alerts from your security plugin. Don’t let this stop you from installing a plugin, however. It can dramatically improve the safety of your site.
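To show what the daily file scan mentioned above is doing, here is an added example (not from the original article, and not any plugin's actual code). It fingerprints a known-good copy of the site files, then reports anything on the live site that was changed, added, or removed. The file contents are constructed samples, and skipping the uploads folder is an assumption, since your own media will never match a clean copy.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 fingerprint."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_to_baseline(baseline, live_root, ignore_prefixes=()):
    """Report files modified, added, or missing compared with the baseline."""
    def skipped(rel):
        return any(rel.startswith(prefix) for prefix in ignore_prefixes)

    live = build_manifest(live_root)
    report = {"modified": [], "added": [], "missing": []}
    for rel, digest in baseline.items():
        if skipped(rel):
            continue
        if rel not in live:
            report["missing"].append(rel)
        elif live[rel] != digest:
            report["modified"].append(rel)
    report["added"] = [r for r in live if r not in baseline and not skipped(r)]
    return report


def demo():
    """Constructed sample: a clean copy and a tampered live copy of a tiny site."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for tree in (clean, site):
            (tree / "wp-includes").mkdir(parents=True)
            (tree / "wp-content/uploads").mkdir(parents=True)
            (tree / "index.php").write_text("<?php // front controller\n")
            (tree / "wp-includes/version.php").write_text("<?php $v = 'x';\n")
        # Simulated changes on the live copy only.
        (site / "index.php").write_text("<?php // front controller\n// changed\n")
        (site / "wp-includes/extra.php").write_text("<?php // unexpected\n")
        (site / "wp-includes/version.php").unlink()
        (site / "wp-content/uploads/photo.jpg").write_bytes(b"constructed")
        return compare_to_baseline(build_manifest(clean), site,
                                   ignore_prefixes=("wp-content/uploads/",))
```

In the sample, the edited `index.php`, the unexpected `extra.php`, and the deleted `version.php` are all reported, while the new photo in uploads is ignored.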

Learn to Maintain Your Website

Following the 5 practices above makes your site much more secure against hacking, and keeps you better prepared to restore your site if anything does happen. If you have questions about securing your website, I’d be happy to help you set up your maintenance plan. If there is enough interest, I may offer a mini-course or webinar on WordPress maintenance, so let me know if that sounds good to you.

I also offer flat rate annual maintenance plans if you would like to turn your site maintenance and monitoring over to someone else.

This article applies primarily to self-hosted WordPress sites. Security and updates are managed for you on sites. You can help out by using good usernames and passwords. You can also download backups of your content, which is highly recommended.